Hello, I received another malicious document that I'm going to analyze now. Just one remark before I begin. If you saw my previous video that I released on the 1st of April 2018, that was actually my April Fools' video, because it's a real analysis of a PDF document, but this time I'm speaking in the local dialect of Brussels, my hometown. So it's an Office document that I'm analyzing here. So with oledump, I'm taking a look. Okay, and we can already see that it contains macros here, macros, and the M indicator. But before we look into the macros themselves, I also remarked that there is a large stream here, stream 15, that's about 400K of data. And if you see entries like this, streams like this with macros and a name and /f and /o, those are actually forms, VBA forms with properties, and in the f stream you have the name of the property, and in the o stream you have the value of the property. And malware authors will often hide elements of the malicious document, and sometimes even the full payload, in properties of VBA forms, for example. So we can have a look in stream 15, like this. Okay, and we can see here that we have hexadecimal data, and it starts with 4D5A. If you don't know this by heart, 4D5A, those are the ASCII letters MZ, so that's the start of a Windows executable. So this could be a Windows executable, and you can see it goes on for quite some pages. So we are going to try to decode this, and we can use my base64dump tool for this, because base64dump can not only dump base64 encoding, but also other encodings like hexadecimal. So we select stream 15, and this time we want to dump the binary content, and not an ASCII hexadecimal dump, but we want to dump the stream itself, so with option -d, and then we pipe this into base64dump. By default base64dump will try to find base64 strings, but here we are going to use another encoding, we are going to instruct base64dump to use hexadecimal encoding.
So indeed, as you can see here, MZ and the start of a PE file, and here you have the MD5 hash of the decoded hexadecimal string, and if you look that up on VirusTotal, for example, you will see that it is indeed malware. Now we can decode this one, extract this one, so we launch our command again, we select the first element, and we dump this, and by doing this we dump the data. Well, let's first do an ASCII dump and look at the beginning, like this, and you can see here indeed "This program cannot be run in DOS mode", so it certainly looks like a PE file. So we are going to pipe this into my tool pecheck, that will do some analysis of PE files, like this. Nope, that's a mistake of mine, I did an ASCII dump, and I want to do a binary dump, like this. Now it will work, and indeed it has recognized the PE file with all kinds of information, and in the end here we can see that it's actually a Visual Basic executable.
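The check performed by hand above, finding a long run of hex digits in a form stream, decoding it, and testing for the MZ header, the DOS stub string and the MD5 hash, as an added example in Python. This is not code from oledump or base64dump; the stream bytes it scans are a constructed sample, not the document from the video.

```python
import hashlib
import re

# A run of at least 16 hex byte pairs (32 hex characters); shorter runs are
# too likely to be ordinary property data or text, so they are ignored.
HEX_RUN = re.compile(rb'(?:[0-9A-Fa-f]{2}){16,}')


def find_hex_blobs(data: bytes) -> list:
    """Decode every sufficiently long run of ASCII hex digits found in data."""
    return [bytes.fromhex(m.group(0).decode('ascii'))
            for m in HEX_RUN.finditer(data)]


def classify(blob: bytes) -> dict:
    """The same indicators looked for in the video: MZ header, DOS stub text, MD5."""
    return {
        'md5': hashlib.md5(blob).hexdigest(),   # look this up on VirusTotal
        'mz': blob[:2] == b'MZ',               # 4D 5A, start of a PE file
        'dos_stub': b'This program cannot be run in DOS mode' in blob,
        'size': len(blob),
    }


def scan_stream(data: bytes) -> list:
    """Report every decoded hex run in a stream (for example the output of oledump -s 15 -d)."""
    return [classify(blob) for blob in find_hex_blobs(data)]


# Constructed sample: a minimal fake PE header (MZ + padding + DOS stub string)
# hex-encoded and wrapped in a few non-hex bytes, imitating a form property value.
FAKE_PE = b'MZ\x90\x00' + b'\x00' * 60 + b'This program cannot be run in DOS mode.\r\n$'
SAMPLE_STREAM = b'\x00\x01Tag\x00' + FAKE_PE.hex().upper().encode('ascii') + b'\x00\x00'

if __name__ == '__main__':
    for report in scan_stream(SAMPLE_STREAM):
        print(report)
```

On a real sample, feed the raw stream bytes (oledump's -d output) into scan_stream and compare the reported MD5 with what base64dump prints.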